From a24570ae0613d9f5417f0144559a7917267e3de4 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 20 May 2011 18:26:43 +0100
Subject: [PATCH] SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.
---
 .../authentication/jaas/JaasAuthenticationProvider.java | 1 -
 .../authentication/jaas/JaasAuthenticationProviderTests.java | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
index 41f3335e2b..b3cb8a2472 100644
--- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
@@ -182,7 +182,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
 // Create a set to hold the authorities, and add any that have already been applied.
 authorities = new HashSet();
- authorities.addAll(request.getAuthorities());
 // Get the subject principals and pass them to each of the AuthorityGranters
 Set principals = loginContext.getSubject().getPrincipals();
diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
index c922d35729..f0f543e439 100644
--- a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
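Review bot: The comment on the first context line is now stale: with the `authorities.addAll(request.getAuthorities())` line removed, nothing in the set is "already applied", so a reader will look for code that no longer exists. Replace it with a comment recording the decision the commit makes, e.g. `// Authorities come only from the AuthorityGranters; any authorities carried by the incoming request are deliberately not trusted (SEC-1744).` The raw `new HashSet()` on the next line could be given an element type if the surrounding file already uses generics, which cannot be seen from this hunk. The enclosing method starts and ends outside the hunk.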
@@ -179,7 +179,7 @@ public class JaasAuthenticationProviderTests {
 @Test
 public void testFull() throws Exception {
- List defaultAuths = AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO");
+ List defaultAuths = AuthorityUtils.createAuthorityList("ROLE_ONE");
 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password", defaultAuths);
@@ -196,8 +196,7 @@ public class JaasAuthenticationProviderTests {
 assertTrue("GrantedAuthorities should contain ROLE_TEST1", list.contains(new GrantedAuthorityImpl("ROLE_TEST1")));
 assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));
- assertTrue("GrantedAuthorities should contain ROLE_1", list.contains(defaultAuths.get(0)));
- assertTrue("GrantedAuthorities should contain ROLE_2", list.contains(defaultAuths.get(1)));
+ assertFalse("GrantedAuthorities should not contain ROLE_ONE", list.contains(defaultAuths.get(0)));
 boolean foundit = false;
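Review bot: The new `assertFalse` in the second hunk only checks that the one request-supplied authority is absent, so `testFull` would still pass if the provider merged request authorities into the result by some other route. A stronger regression guard is an `assertEquals` on `list.size()` against the number of authorities the granters are expected to produce; the exact count is not visible here, since the `foundit` loop that follows appears to check further entries. Keeping the second request authority (`"ROLE_TWO"`) in the token and asserting its absence as well would also cost nothing. `testFull`'s body continues outside the hunk.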